More than 1.6 million documents containing sensitive personal data from India’s police, military personnel, teachers, and railway workers were exposed online, according to a report by WebsitePlanet.
Cybersecurity researcher Jeremiah Fowler discovered a database without password protection containing 496.4 GB of data, which reportedly might have been offered for sale on a dark web-related Telegram group.
The data, linked to ThoughtGreen Technologies and Timing Technologies, included biometric information such as facial scans and fingerprints, identifying marks such as tattoos or scars, and personal identification documents such as birth certificates and employment records.
“The records span from 2021-2024 and were actively updating in real time during my research,” Fowler said in the report. “There were 284,535 documents marked as Physical Efficiency Test (PET) for police and law enforcement officers. The database also stored images of 143,173 signatures and a very large number of PDF documents that contained the name, images, and fingerprints of multiple individuals.”
ThoughtGreen Technologies and Timing Technologies are both based in Hyderabad. Timing Technologies, according to its website, has experience in managing recruitment drives involving physical tests for various Indian organizations, including the Army, Police, and Railway.
Both companies have not responded to attempts to contact them through their websites.
Fowler also found numerous folders with application and development files in the exposed database, which raises additional security concerns. Exposed files can allow hackers to tamper with application code, potentially injecting malware. This could enable unauthorized access to extensive user data, including personal and login information.
Increase in attacks targeting India
The report underscores ongoing vulnerabilities in Indian cybersecurity.
A Cisco survey last year showed that nearly 80% of Indian respondents reported cybersecurity incidents, significantly higher than the global average. These incidents often come with hefty financial consequences, costing over half of the affected Indian organizations at least $500,000.
India has experienced multiple cyberattacks targeting major organizations in recent years.
Last year, a Russian hacktivist group compromised the health management information system of India, potentially endangering the health data of millions of citizens.
In 2022, the country’s top medical institute, All India Institute of Medical Sciences (AIIMS), was crippled by a ransomware attack, forcing it to revert to manual operations and disrupting several key services.
In 2021, a cybersecurity breach at Air India compromised the personal data of 4.5 million passengers. Additionally, that same year, the personal details of 500,000 Indian police personnel were offered for sale on a data-sharing forum.
In another incident, exam data and results for 190,000 candidates from a 2020 national-level competitive exam were leaked and sold on a cybercrime forum.
Implications of the latest leak
In the WebsitePlanet report, Fowler highlighted that the exposure of biometric data from police, military, and railway workers poses severe security and privacy risks. The data, crucial for identity verification and anti-impersonation measures, could be exploited for malicious activities if accessed by unauthorized parties.
“For example, a criminal could use the exposed data to impersonate another individual — in this case, it could be someone who works in law enforcement or the army, which could lead to possible national security concerns,” Fowler said in the report. “Hypothetically, a criminal could replace the image, fingerprint, and other data inside the database with those of an impersonator, who would then pass the biometric identity test as the face and prints match those in the exposed database.”
Such data leaks could get more complicated with some of the new laws. In 2022, India enacted a law permitting police and prison officers to collect identifiable information such as fingerprints and biological samples from convicts or those arrested for an offense.